
Through the Security Looking Glass

Presented by Steve Meek, CISSP

Agenda
- Presentation Goal
- Quick Survey of audience
- Security Basics Overview
- Risk Management Overview
- Organizational Security Tools
- Secure By Design
- By the numbers
- Resources
- About The Fulcrum Group, Inc.
- Question and Answers

Copyright © 2014 The Fulcrum Group Inc.

Goal
- Briefly cover content applicable to developers AND technology leaders related to security
- Arm listeners with “language” to interact with computer networking and security teams
- Exchange thoughts, suggestions and advice with other participants
- Increase security throughout the entire organization

Survey
- How many people are developers?
- How many DBAs?
- Networking oriented people?
- Security focused practitioners?
- Organization sizes?
- Bound by any compliances?
- What do you hope to gather from discussion today?
- Any general security questions you’d like me to try and weave into content?

Security Principles
- Confidentiality: allowing only authorized subjects access to information
- Integrity: allowing only authorized subjects to modify information
- Availability: ensuring that information and resources are accessible when needed


Security Governance

Security Governance is the organizational processes and relationships for managing risk

- Policies, Standards, Procedures, Guidelines, Baselines
- Organizational Structures
- Roles and Responsibilities

Information Classification
Classification requires policies and procedures for how data is categorized. The classification determines how data is accessed, updated, protected, recovered and managed, in accordance with specific application requirements.

Possible classification criteria:
- Sensitivity (Public, Private)
- Recovery Time Objective (RTO)
- Department
- Age
- Ownership
- Other??


Risk Management
Risk Management is identifying, evaluating, and mitigating risk to an organization.

It’s a cyclical, continuous process:
- Need to know what you have
- Need to know what threats are likely
- Need to know how and how well it is protected
- Need to know where the gaps are

What you identify:
- Assets
- Threats/Threat-sources
- Vulnerabilities: weaknesses
- Controls: safeguards


Risk Management

- Likelihood: that a risk can occur
- Impact: potential effect on the organization
- Identify inherent and residual risk in the high/high RED areas
- Resources are always limited, so prioritize actions there first
- Risk can never be completely eliminated
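A worked example of the scoring this slide describes, added here and not part of the original presentation or any Fulcrum Group tool: a small risk register scores likelihood and impact on 1-5 scales, computes inherent risk (before controls) and residual risk (after controls), maps both onto RED/AMBER/GREEN heat-map zones and ranks the register so the highest residual risk is handled first. The scales, the zone thresholds, the assumption that controls reduce likelihood rather than impact, and every sample risk are constructed for illustration.

```python
"""Added example: a risk register with inherent/residual scoring and
heat-map prioritisation. Illustrative code written for this page; the
scales, thresholds and sample risks are constructed, not from the slides."""

from dataclasses import dataclass, field

# Ordinal 1..5 scales for likelihood and impact (constructed assumption).
SCALE = range(1, 6)


def zone(score: int) -> str:
    """Map a likelihood x impact product (1..25) onto a heat-map colour.
    Thresholds are a constructed assumption; tune them to your own matrix."""
    if score >= 15:
        return "RED"
    if score >= 8:
        return "AMBER"
    return "GREEN"


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # how likely the threat exploits the vulnerability (1..5)
    impact: int      # effect on the organisation if it does (1..5)
    # (control name, effectiveness 0.0..1.0) pairs; empty list = no safeguard
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be 1..5")
        for _, eff in self.controls:
            if not 0.0 <= eff <= 1.0:
                raise ValueError("control effectiveness must be 0.0..1.0")

    @property
    def inherent(self) -> int:
        """Risk before any safeguard is applied."""
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        """Risk that remains after controls.
        Assumption: controls lower likelihood, not impact, and combine
        independently, so remaining likelihood = product of (1 - eff).
        Likelihood never drops below 1: risk is never fully eliminated."""
        remaining = 1.0
        for _, eff in self.controls:
            remaining *= (1.0 - eff)
        reduced_likelihood = max(1, round(self.likelihood * remaining))
        return reduced_likelihood * self.impact


def prioritize(register):
    """Order risks by residual risk (highest first), then by inherent risk."""
    return sorted(register, key=lambda r: (r.residual, r.inherent), reverse=True)


# Constructed sample register.
REGISTER = [
    Risk("Customer DB", "SQL injection via web app", "unvalidated input", 4, 5,
         [("input validation / parameterised queries", 0.7), ("WAF", 0.3)]),
    Risk("File server", "ransomware", "unpatched SMB service", 4, 4,
         [("patch management", 0.5)]),
    Risk("Laptops", "theft", "no disk encryption", 3, 4),
    Risk("Lobby", "tailgating", "receptionist absent", 2, 2,
         [("keycard doors", 0.5)]),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.asset:12} inherent={r.inherent:2} ({zone(r.inherent)}) "
              f"residual={r.residual:2} ({zone(r.residual)})")
```

Running it shows the slide's two points side by side: the database starts in the RED zone (20) but its controls bring the residual down to 5, while the unencrypted laptops, which were never RED, end up at the top of the list because nothing mitigates them. That is why prioritisation should be done on residual, not inherent, risk once controls are in place.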


Understanding security structure

Example: Physical Security. What are the physical security tools for protecting your house?

Protect  | Detect        | Respond
Doors    | Alarm         | Dog
Windows  | Motion Sensor | Gun
Locks    | Crime Watch   | Police
Fence    | Monitoring    | Insurance

Structure in IT terms

Administrative
  Protect: Executive help set IT Policy; Procedures
  Detect: Log reviews; Monitoring; Assessments
  Respond: Awareness Prog.; Security person; IT training

Physical
  Protect: Locks/keycard
  Detect: Security cameras
  Respond: Security guard

Technical
  Protect: Password Policy; Anti-virus; Patching; Group Policy
  Detect: IPS; IDS
  Respond: BC/DR Plan; Secure new sites

Sometimes referred to as “layering security” or “defense in depth”.

Security by Organization Size

Company size: SOHO (5-15)
Security Category | Security Posture
Appropriate server and share permissions | Currently following good design, but could be tuned up
Basic anti- standards | Currently following good design
Basic anti-virus standards (file and email) | Currently following good design, AV needs to be updated and tuned some
Basic Group Policy settings | Basic policy in place
Basic Physical Security | Secured server room and IDF, receptionist partially greets people on third
Password protect network backups | Not aware of password protection
Process to disable and delete old accounts in AD | Currently following, but some old or missed accounts when I checked
Use of groups and roles in Active Directory | Currently following good design

Company size: Small (16-50)
Security Category | Security Posture
Anti-SPAM tools in place | Currently following good design
Basic Internet filtering | Currently following good design
Basic logging server for domain and devices | Not aware of central syslog or event log server
Basic wireless security enforced at office | Currently following good design
of PII data at rest | Not aware of any tool, could be helpful
Firewall and gateway protection | Currently following good design
Patch management | Currently following good design, saw some minor server issues, but could
RADIUS for multi-factor | Have IAS set up on DCs, looks configured for ASA
SSL used to secure website traffic | Currently following good design
VPN for secured remote access | Currently following good design
Written Acceptable Use Policy | Started policy but not implemented, not sure of executive buy-in?

Security by Organization Size

Company size: Medium (51-250)
Security Category | Security Posture
Annual Security Audit | Not aware of any practice in place
Application and web firewalls | Not aware of any tool, have several public facing applications
Application | Not aware of any practice in place
Data classification | No efforts to go through data classification
Data Loss Prevention Systems | Not aware of any tool in place
Data Retention Policy | No official policy established
Device control (including USB) | Not aware of any tool in place
Email vaulting for compliance | Not aware of any tool in place
Encrypt backups | Not aware of any tool in place
Encrypted data in motion/ | Not aware of any tool in place
Intrusion detection/prevention | Not aware of any tool in place
IT Governance Policy (more complete) | Have to get basic AUP in place first
Network Access Control | Not aware of any tool in place
Monthly/ Quarterly/ Annual security scans | Not aware of any tool in place
Separate guest and internal wireless, advanced control | Not needed from discussions

Company size: Medium to Enterprise (251+)
Security Category | Security Posture
Annual Security Audit or Risk Assessment | Not aware of any practice in place
Business Impact Assessment for DR planning | Not aware of any practice in place
Colocation/offsite facility for recovery | Considering locating some at a remote branch
Compliance Officer (for industry) | Legal provides some compliance work
DR/BC plan | Not aware of any practice in place
Email archival with discovery and search | Not aware of any tool in place
Monthly security scans | Not aware of any practice in place
Security Event Management solution | Not aware of any tool in place
Separation of IT duties | Not aware of any practice in place
Single-sign on | Not aware of any tool in place

Secure by Design
Software being designed from the ground up to be secure. Security is about regulating access to assets (systems, data, databases, intelligence).

can provide core functionality that is inherently dangerous:
- self-service analytics
- grabbing data from disparate systems
- mobile applications (bi-directional)
- BI in the cloud (Amazon RedShift, Google BigQuery)
- offline support for applications
- growth of access to unstructured data

Secure software development process model at .

Secure by Design
The Open Web Application Security Project (OWASP) is an online community dedicated to web application security. It provides information on secure development of web applications and publishes things like the Top Ten list of the most common attacks on web applications.

OWASP 2013: The Top 10 Most Critical Web Application Security Risks

Secure by Design
The Cloud Security Alliance (CSA) promotes the use of best practices for providing security assurance within Cloud Computing, and provides education on the uses of Cloud Computing to help secure all other forms of computing.

Cloud Security Alliance: Expanded Top Ten Big Data Security and Privacy Challenges, April 2013

Secure by Design
Database security should provide “controlled, protected access to the contents of your database and, in the process, preserve the integrity, consistency, and overall quality of your data.”
- Access Control: the primary method used to protect data is limiting access to the data.
- Row level security: controlling access to database tables or columns is frequently required and can be enacted by simply granting privileges on one of these objects. Restricting access to data contained in individual records (rows) requires additional steps.
- Application Access Assessment: create a security matrix to provide a visual depiction of the correlation between the operations or needed for database objects and input/output sources such as forms and reports.
- Database Vulnerability: as more and more databases are made accessible via the Internet and web-based applications, their exposure to security threats will rise.
- Database Inference: inference is the ability to derive unknown information based on retrieved information. Use controls related to queries (suppression) or controls related to individual items in a database (concealing).
- Auditing: auditing can be used to identify who accessed database objects, what actions were performed, and what data was changed.
- Backups: protect backups of data, or encrypt backups.
- Lack of consistency in operational management: develop a consistent practice of looking after databases, staying aware of threats and making sure that vulnerabilities are taken care of.
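The three database controls above that need more than a GRANT (row level security, inference suppression and auditing) in one runnable example, added here and not taken from the presentation or from the MS-SQL material the deck links to. It uses Python's built-in sqlite3 so it runs offline. Everything in it is constructed: the employees table and its rows, the MIN_QUERY_SET threshold, and the session_ctx table, which stands in for the authenticated session user that a real database engine would provide (SQLite has no server-side notion of the calling user, so the application records it).

```python
"""Added example: row-level security via a filtered view, an audit trail
written by a trigger, and query-set-size suppression against inference.
Illustrative code written for this page on SQLite; all names, data and the
session_ctx mechanism are constructed assumptions."""

import sqlite3

SCHEMA = """
CREATE TABLE employees (
    id INTEGER PRIMARY KEY, name TEXT, dept TEXT, salary INTEGER);

-- Who is asking. One row per session, set by the application (assumption:
-- a real engine keys this on the authenticated session user instead).
CREATE TABLE session_ctx (dept TEXT NOT NULL, role TEXT NOT NULL);

-- Row level security: a user sees only rows from their own department,
-- an admin sees all. Applications are granted the view, never the table.
-- With no session row the join yields nothing, i.e. it fails closed.
CREATE VIEW my_employees AS
    SELECT e.id, e.name, e.dept, e.salary
    FROM employees e JOIN session_ctx s
      ON s.role = 'admin' OR e.dept = s.dept;

-- Auditing: who changed what, recorded by the database itself so the
-- application cannot forget (or choose not) to log it.
CREATE TABLE audit_log (
    ts TEXT DEFAULT CURRENT_TIMESTAMP, actor TEXT, emp_id INTEGER,
    old_salary INTEGER, new_salary INTEGER);
CREATE TRIGGER audit_salary AFTER UPDATE OF salary ON employees
BEGIN
    INSERT INTO audit_log (actor, emp_id, old_salary, new_salary)
    VALUES ((SELECT dept || '/' || role FROM session_ctx),
            OLD.id, OLD.salary, NEW.salary);
END;
"""

ROWS = [  # constructed sample data
    (1, "Ann", "eng", 120), (2, "Bo", "eng", 110),
    (3, "Cy", "sales", 90), (4, "Di", "sales", 95), (5, "Ed", "hr", 80),
]

# Inference control: never answer an aggregate about fewer people than this,
# otherwise AVG over one row simply reveals that person's salary.
MIN_QUERY_SET = 2


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO employees VALUES (?,?,?,?)", ROWS)
    return con


def set_session(con, dept, role="user"):
    """Record the caller's department and role for this session."""
    con.execute("DELETE FROM session_ctx")
    con.execute("INSERT INTO session_ctx VALUES (?,?)", (dept, role))


def visible_names(con):
    """What the current caller can see through the row-filtered view."""
    return [r[0] for r in con.execute("SELECT name FROM my_employees ORDER BY id")]


def avg_salary(con, dept):
    """Aggregate through the view, suppressed when the query set is too small."""
    n, avg = con.execute(
        "SELECT COUNT(*), AVG(salary) FROM my_employees WHERE dept = ?",
        (dept,)).fetchone()
    return avg if n >= MIN_QUERY_SET else None


def give_raise(con, emp_id, new_salary):
    """Change a salary; the trigger writes the audit row as a side effect."""
    con.execute("UPDATE employees SET salary = ? WHERE id = ?", (new_salary, emp_id))
    con.commit()


def audit_entries(con):
    return con.execute(
        "SELECT actor, emp_id, old_salary, new_salary FROM audit_log").fetchall()


if __name__ == "__main__":
    db = open_db()
    set_session(db, "eng")
    print("eng user sees:", visible_names(db), "avg:", avg_salary(db, "eng"))
    set_session(db, "hr")
    print("hr user sees:", visible_names(db), "avg:", avg_salary(db, "hr"))
    set_session(db, "hr", "admin")
    give_raise(db, 5, 85)
    print("audit:", audit_entries(db))
```

The point of routing even the aggregate through the view is that row filtering and suppression compose: an hr user asking for the hr average gets nothing back, not because the row is hidden (it is their own department) but because a one-person query set would disclose an individual value, which is the inference problem the slide names.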

By the numbers
Verizon 2012 Data Breach Investigations Report:
- 70% of breaches originated in Eastern Europe; 25% of breaches originated in North America (24x7 businesses)
- Most data breaches caused by external attacks (organized crime, activist groups, former employees, lone hackers, organizations sponsored by foreign governments)
- Hacking and both were on the rise (81% and 69% vs. 50% and 49% in 2010)
- Insider incidents declined to 4% of all attacks this year
- Third parties detected 92% of all breaches
- 95% of records lost included personal information (up from 1% in 2010)
- Networks compromised for extended periods of time

ONLY 8% OF BREACHES DISCOVERED INTERNALLY
http://www.verizonbusiness.com/about/events/2012dbir/index.xml

Resources: Security Curriculum

ISC2’s 10 Domains of Security:
- Access Control
- Telecommunications and
- and Risk Management
- Applications Security
- Security Architecture and Design
- Operations Security
- Business Continuity Planning and Disaster Recovery Planning
- Legal Regulation and Compliance
- Physical (Environmental) Security


Resources: Compliance for Organizations
- Federal Information Processing Standards (FIPS): adhere to the same guidelines regarding security and communication
- Gramm-Leach-Bliley Act (GLBA): protect consumers’ personal financial information
- Health Insurance Portability and Accountability Act (HIPAA): regulations for the use and disclosure of any information concerning individual health care
- Health Information Technology for Economic and Clinical Health (HITECH): addresses the privacy and security concerns associated with the electronic transmission of health information
- Payment Card Industry Data Security Standard (PCI DSS): standard for protecting cardholder information
- Sarbanes-Oxley: security, accuracy and the reliability of the systems that manage and report financial data

Resources: Links
- NIST 800 Series Publications: http://csrc.nist.gov/publications/PubsSPs.html
- Microsoft Security Development Lifecycle (SDL): http://www.microsoft.com/security/sdl/default.aspx
- Microsoft Business Intelligence and Security: http://www.microsoft.com/betaexperience/nlarchive/bexp2/issue_6/Business%20Intelligence%20and%20Security.aspx
- MS-SQL: Securing the Tabular BI Semantic Model: http://msdn.microsoft.com/en-us/library/jj127437.aspx
- Open Web Application Security Project (OWASP): https://www.owasp.org/index.php/Main_Page, https://www.owasp.org/index.php/Cheat_Sheets, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
- The Cloud Security Alliance (CSA): https://cloudsecurityalliance.org/, https://cloudsecurityalliance.org/education/training/, https://cloudsecurityalliance.org/star/
- Imperva Database Security: http://www.imperva.com/Products/DatabaseSecurity

Summary
- Understand the language of security
- Use it to communicate with related teams
- Understand risk management and structured security approaches
- Make security and tools appropriate for your organization
- Secure your environment by paying attention to application development, web security, database security and cloud impacts
- Understand security vectors from reports
- Use resources to understand better strategies to protect yourself
- Get a good night’s sleep


About The Fulcrum Group, Inc.
- Business-Focused
- Company incorporated in 2002
- Clients in Fort Worth/Dallas for over fifteen years
- See ourselves as a service provider first
- Principals highly experienced technologists AND business people
- SPOT outsourced IT support program
